Hi everyone,
I’ve got HAProxy setup already with PfSense doing HTTP>HTTPS direction and all for a handful of internal hosted sites. However I’m currently setting up Vaultwarden, and I can’t seem to figure out the right config to make it work.
Info here on the requirements: Enabling WebSocket notifications · dani-garcia/vaultwarden Wiki · GitHub
And two examples here at the bottom: Proxy examples · dani-garcia/vaultwarden Wiki · GitHub
To me it seems those examples are from an older version which uses a different formatting?
But using the GUI in pfsense, I don’t seem to be able to make either of those examples work for me, with my most recent attempt being:
I’ve tried multiple varieties, depending on which then when I navigate to /notificaitons/hub I either get a page with nothing but {} on… or 503 No server is available to handle this request… which feels like it might be the right one, yet no joy.
I’m sure this is simple, but I just can’t crack it! Any help would be appreciated!
…And then just like that… I figured it out. For anyone else in the future, i’ll post this in a few places too:
In your FrontEnd, you need to have 4 separate Actions; ACL1, ACL2, ACL3, ACL4; where 1&2 point to your normal Backend, and 3&4 point to the Notifications backend. Then 4 ACL’s like so:
Also, ensure Default backend is set to the normal one. (i’m not overly fond of this, but only way I can get it to work currently)
1 Like
I’ve updated the examples page to include this
1 Like
Just a note for anyone in the future… check out the proxy examples link, i’ve updated it with a better configuration.
Having a little bit of trouble, running Proxmox and have a VaultWarden LXC container spun up and trying to use HAProxy + pfSense and I can’t seem to get this working for some reason. I have plenty of other HAProxy for internal/external but can’t seem to get this working.
Here are my configuration inside HA Proxy in pfSense any help would be appreciated.
Looks like the first one with Hostmatch might be the problem, work if you remove it?
You also haven’t got one for the Admin page, did you follow the example I posted on the wiki?
Hi Rich,
can I ask you a few questions regarding the setup with HAProxy on pfsense?
I’m very new to HAproxy and Vaultwarden, so there might be some basic knowledge questions 
I have set up the entries like mentioned in this guide: pfSense-2.4 + HAProxy - A walkthrough on how to proxy https traffic to multiple sites
Did you also make the shared frontend?
I’m running Vaultwarden and Portainer on a Pi4 and setup a reverse proxy for Portainer on port 9000.
I can reach Portainer via the desired subdomain.
I then tried to setup the entries according to your guide, but when I try to connect to Vaultwarden via my desired subdomain, I get 503.
I can reach the Bitwarden homepage locally on port 80, but when I try to create an Account, it doesn’t work - nothing loads after the “create account” button press.
When I try to create an account locally on the Vaultwarden homepage (port 8080), I get this error: “This browser requires HTTPS to use the web vault”.
Not sure if those two problems are related.
Cheers,
Limestone
Try to use code below to reconfigure your current haproxy.cfg:
frontend https-in
bind *:80 name http
bind *:443 ssl crt-list /etc/haproxy/crt-list.cfg alpn h2,http/1.1 name https
mode http
use_backend bitwarden_ws_backend if { hdr(Host) -i bitwarden.domain.tld } !{ path_beg /notif>
use_backend bitwarden_backend if { hdr(Host) -i bitwarden.domain.tld }
backend bitwarden_ws_backend
server bitwarden_ws_server 192.168.80.100:80
http-request redirect scheme https code 301 if !{ ssl_fc }
backend bitwarden_backend
server bitwarden_server 192.168.80.100:80 check
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request deny if { path_beg /admin }
Take into consideration that websocket part must be always defined first, because order has meaning.
